Skip to content

Commit

Permalink
[resotocore][fix] Filter accounts when marking resources as compliant
Browse files Browse the repository at this point in the history
  • Loading branch information
aquamatthias committed Nov 15, 2023
1 parent b8d575c commit 5eb96f2
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 6 deletions.
23 changes: 18 additions & 5 deletions resotocore/resotocore/db/graphdb.py
Original file line number Diff line number Diff line change
Expand Up @@ -114,7 +114,11 @@ def update_nodes_metadata(

@abstractmethod
async def update_security_section(
self, report_run_id: str, iterator: AsyncIterator[Tuple[NodeId, Json]], model: Model
self,
report_run_id: str,
iterator: AsyncIterator[Tuple[NodeId, Json]],
model: Model,
accounts: Optional[List[str]] = None,
) -> Tuple[int, int]:
pass

Expand Down Expand Up @@ -447,7 +451,11 @@ async def delete_children(element: Json) -> None:
await self.db.delete_vertex(self.name, {"_id": f'{self.vertex_name}/{node["id"]}'})

async def update_security_section(
self, report_run_id: str, iterator: AsyncIterator[Tuple[NodeId, Json]], model: Model
self,
report_run_id: str,
iterator: AsyncIterator[Tuple[NodeId, Json]],
model: Model,
accounts: Optional[List[str]] = None,
) -> Tuple[int, int]: # inserted, updated
temp_collection = await self.get_tmp_collection(report_run_id)
now = utc_str()
Expand Down Expand Up @@ -508,13 +516,14 @@ async def update_chunk(chunk: Dict[NodeId, Json]) -> None:

async def move_security_temp_to_proper() -> None:
temp_name = temp_collection.name
account_filter = ("and e.refs.account_id in [" + ",".join(accounts) + "]") if accounts else ""
aql_updates = [
# Select all new or updated vulnerable nodes. Insert into history and update vertex.
f'for e in {temp_name} filter e.action=="node_vulnerable" insert e.data in {self.node_history} update {{_key: e.node_id, security: e.data.security}} in {self.vertex_name} OPTIONS {{mergeObjects: false}}', # noqa
# Update security.run_id for all items with the same security issues
f'for e in {temp_name} filter e.action=="mark" update {{_key: e.node_id, security: {{run_id: e.run_id}}}} in {self.vertex_name} OPTIONS {{mergeObjects: true}}', # noqa
# Select all remaining nodes with a different run_id -> they are compliant again
f'for e in {self.vertex_name} filter e.security.run_id!=null and e.security.run_id!="{report_run_id}" insert MERGE(UNSET(e, "_key", "_id", "_rev", "flat", "hash"), {{id: e._key, change: "node_compliant", changed_at: "{now}", security: MERGE(e.security, {{closed_at: "{now}"}})}}) in {self.node_history} OPTIONS {{mergeObjects: true}} update {{_key: e._key, security: {{reopen_counter: e.security.reopen_counter, closed_at: "{now}"}}}} in {self.vertex_name} OPTIONS {{mergeObjects: false}}', # noqa: E501
f'for e in {self.vertex_name} filter e.security.run_id!=null and e.security.run_id!="{report_run_id}" {account_filter} insert MERGE(UNSET(e, "_key", "_id", "_rev", "flat", "hash"), {{id: e._key, change: "node_compliant", changed_at: "{now}", security: MERGE(e.security, {{closed_at: "{now}"}})}}) in {self.node_history} OPTIONS {{mergeObjects: true}} update {{_key: e._key, security: {{reopen_counter: e.security.reopen_counter, closed_at: "{now}"}}}} in {self.vertex_name} OPTIONS {{mergeObjects: false}}', # noqa: E501
]
updates = ";\n".join(map(lambda aql: f"db._createStatement({{ query: `{aql}` }}).execute()", aql_updates))
await self.db.execute_transaction(
Expand Down Expand Up @@ -1477,9 +1486,13 @@ async def update_nodes_metadata(
yield a

async def update_security_section(
self, report_run_id: str, iterator: AsyncIterator[Tuple[NodeId, Json]], model: Model
self,
report_run_id: str,
iterator: AsyncIterator[Tuple[NodeId, Json]],
model: Model,
accounts: Optional[List[str]] = None,
) -> Tuple[int, int]:
return await self.real.update_security_section(report_run_id, iterator, model)
return await self.real.update_security_section(report_run_id, iterator, model, accounts)

async def merge_graph(
self,
Expand Down
2 changes: 1 addition & 1 deletion resotocore/resotocore/report/inspector_service.py
Original file line number Diff line number Diff line change
Expand Up @@ -208,7 +208,7 @@ async def perform_benchmarks(
# In case no run_id is provided, we invent a report run id here.
run_id = report_run_id or uuid_str()
await self.db_access.get_graph_db(graph).update_security_section(
run_id, self.__benchmarks_to_security_iterator(result), model
run_id, self.__benchmarks_to_security_iterator(result), model, accounts
)
return result

Expand Down

0 comments on commit 5eb96f2

Please sign in to comment.